3

How can I collect systemd journal events (pull) or forward systemd journal events (push)?

I want to have something like forwarded event log (http://windows.tips.net/T012878_What_is_the_Purpose_of_the_Forwarded_Events_Event_Log.html) but under Linux.

I'm using ArchLinux but not sure this matters.

Should I forward journal to syslog and then collect syslog? Will I lose any info by doing so? Can I collect journal messages without syslog daemon?

adontz

3 Answers

9

Forwarding messages to legacy software like syslog gives you nothing but overhead.

Instead you can implement both models using native journald features.

Push model:

(log source) systemd-journal-upload -> systemd-journal-remote (log collector)

Pull model:

(log source) systemd-journal-gatewayd <- systemd-journal-remote (log collector)

The arrow shows who initiates the connection. HTTPS is used as a transport so it's secure.

More information can be obtained from:

http://www.freedesktop.org/software/systemd/man/systemd-journal-remote.html

http://www.freedesktop.org/software/systemd/man/systemd-journal-upload.html

and so on.

god
  • 3
    A note to anyone who arrives here via Google while using Debian 8: If you're running a resource-constrained VPS, **test your logging solution** (using `while true; do echo 'test string' | systemd-cat; done`). I was forced to rely on `Storage=none` and forwarding to `inetutils-syslogd` because it was the only way to keep `systemd-journald` from treating memory limits as a loose suggestion. (peaking at 7.7% RSS while the syslog-based solution sits steady at 0.8% (`systemd-journald`) + 0.7% (`syslogd --no-forward --socket=/run/systemd/journal/syslog`). You'll also want `logrotate` in that case. – ssokolow Feb 23 '17 at 12:32
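The answer above says HTTPS makes the transport secure, but that only holds if both ends are actually configured for TLS with certificate verification; the defaults in journal-upload.conf and journal-remote.conf do not force it. The following added example (not from the answer or from systemd itself) parses the [Upload] and [Remote] sections of constructed sample configs and reports the settings a collector operator would want to verify; the file contents and hostnames are assumptions.

```python
"""Audit journal-upload.conf / journal-remote.conf for TLS and sealing settings."""
import configparser
from urllib.parse import urlparse

# Constructed sample: journal-upload.conf on a log source (push model).
UPLOAD_CONF = """
[Upload]
URL=https://collector.example.internal:19532
ServerKeyFile=/etc/ssl/private/journal-upload.pem
ServerCertificateFile=/etc/ssl/certs/journal-upload.pem
TrustedCertificateFile=/etc/ssl/ca/journal-ca.pem
"""

# Constructed sample: journal-remote.conf on the collector.
REMOTE_CONF = """
[Remote]
Seal=yes
SplitMode=host
ServerKeyFile=/etc/ssl/private/journal-remote.pem
ServerCertificateFile=/etc/ssl/certs/journal-remote.pem
TrustedCertificateFile=/etc/ssl/ca/journal-ca.pem
"""

def _section(text, name):
    """Parse a systemd-style INI fragment and return one section (or an empty dict)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp[name] if cp.has_section(name) else {}

def audit_upload(text):
    """Findings for the [Upload] section: plaintext URL, missing CA, missing client cert."""
    s = _section(text, "Upload")
    findings = []
    if urlparse(s.get("URL", "")).scheme != "https":
        findings.append("URL is not https: journal entries leave the host in clear text")
    if s.get("TrustedCertificateFile", "") in ("", "-"):
        findings.append("TrustedCertificateFile unset or '-': collector cert not explicitly verified")
    if not (s.get("ServerKeyFile") and s.get("ServerCertificateFile")):
        findings.append("no client key/cert: collector cannot authenticate this source")
    return findings

def audit_remote(text):
    """Findings for the [Remote] section: no client CA pinned, sealing disabled."""
    s = _section(text, "Remote")
    findings = []
    if s.get("TrustedCertificateFile", "") in ("", "-"):
        findings.append("TrustedCertificateFile unset or '-': pushing sources are not authenticated")
    if s.get("Seal", "no").lower() not in ("yes", "true", "1"):
        findings.append("Seal is not enabled: received journals are not FSS-sealed")
    return findings
```

Run the two audit functions over the real files on each host; an empty list means every checked setting is explicit and TLS-based.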
1

Both syslog and rsyslog are a good idea; both can handle local and remote logging. It's usually done using UDP, so yes, messages can be lost. rsyslog can be configured to use TCP and even TLS, though.

You could have a hybrid deployment, e.g. have syslog as sender and rsyslog as receiver.

With syslog you can write something like:

*.*;*.!notice   @192.168.100.220

in /etc/syslog.conf on sender and

$ModLoad imudp.so
$UDPServerRun 514

in /etc/rsyslog.conf on receiver and get all your messages collected on receiver.

dawud

mickvav
-1

How about deploying logstash or fluentd to collect your logs, and maybe you can forward them later to syslog, Splunk, AppDynamics, etc., or any legacy software.

Abdel Hegazi